How to implement approval function in Tekton
2022-06-24 08:27:00 【Chenshaowen】
1. Basic functions of a CICD platform
Common CICD engines are not suitable for being offered directly to business teams. The main reasons are the high learning cost for users, the lack of necessary authentication, and the difficulty of maintenance and upgrades.
We usually build on a process engine, adapt it to the business to improve ease of use, and encapsulate scenario-specific complexity. So what are the basic functions of a CICD platform?
- Process orchestration. The basic, core function, provided with the help of an open source orchestration engine.
- Process atoms. Process atoms are assembled into pipelines; the richer the set of process atoms, the better it meets the needs of business teams.
- Process control. Mainly conditional execution, pause, resume, approval and so on, which let you control the behavior of a pipeline.
- Automatic triggering. Triggering through APIs, Webhooks and so on brings great convenience to users.
- Access control. For a user-facing platform, permission control is indispensable.
As a cloud-native CICD engine, Tekton is well suited for building a CICD platform on Kubernetes infrastructure. This article covers process control in Tekton, especially the approval function.
2. Process control in Tekton
2.1 runAfter
```yaml
- name: test-app
  taskRef:
    name: make-test
  resources:
    inputs:
      - name: workspace
        resource: my-repo
- name: build-app
  taskRef:
    name: kaniko-build
  runAfter:
    - test-app
  resources:
    inputs:
      - name: workspace
        resource: my-repo
```
The runAfter keyword controls the execution order of tasks. In the example above, build-app runs after test-app finishes. runAfter can therefore be used to orchestrate the process.
2.2 conditions
First, create a Condition object that checks whether the specified file exists in the code repository.
```yaml
apiVersion: tekton.dev/v1alpha1
kind: Condition
metadata:
  name: file-exists
spec:
  params:
    - name: "path"
  resources:
    - name: workspace
      type: git
  check:
    image: alpine
    script: 'test -f $(resources.workspace.path)/$(params.path)'
```
When creating the Pipeline, the Task only needs to reference this Condition and provide the necessary parameters. In the following example, my-task runs only if a README.md file exists in the code repository.
```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: conditional-pipeline
spec:
  resources:
    - name: source-repo
      type: git
  params:
    - name: "path"
      default: "README.md"
  tasks:
    - name: if-condition-then-run
      conditions:
        - conditionRef: "file-exists"
          params:
            - name: "path"
              value: "$(params.path)"
          resources:
            - name: workspace
              resource: source-repo
      taskRef:
        name: my-task
```
2.3 PipelineRunCancelled
When the status in the PipelineRun Spec is PipelineRunCancelled, the Reconciler cancels all Tasks early and updates the status.
Reference code: https://github.com/tektoncd/pipeline/blob/c8dc797cf5a6f11f90cb742d014470a444fcdc60/pkg/reconciler/pipelinerun/pipelinerun.go#L147
- List the running PipelineRun
```
kubectl get pipelineruns.tekton.dev

NAME                         SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
cancel-pipelinerun-r-67qsr   Unknown     Running   51m
```
- Change the PipelineRun's status to PipelineRunCancelled
```bash
kubectl patch PipelineRun cancel-pipelinerun-r-67qsr --type=merge -p '{"spec":{"status":"PipelineRunCancelled"}}'
```
- View the cancelled PipelineRun
```
kubectl get pipelineruns.tekton.dev

NAME                         SUCCEEDED   REASON                 STARTTIME   COMPLETIONTIME
cancel-pipelinerun-r-67qsr   False       PipelineRunCancelled   52m         3s
```
2.4 PipelineRunPending
Besides the PipelineRunCancelled status above, a PipelineRun has another status, PipelineRunPending. Its effect is that the PipelineRun is created but does not run immediately.
- Create a pipeline in the PipelineRunPending state
```yaml
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: pending-pipelinerun
spec:
  params:
    - name: pl-param-x
      value: "100"
    - name: pl-param-y
      value: "500"
  pipelineRef:
    name: pending-pipeline
  status: "PipelineRunPending"
```
- Check the pipeline status
```
kubectl get pipelineruns.tekton.dev

NAME                  SUCCEEDED   REASON               STARTTIME   COMPLETIONTIME
pending-pipelinerun   Unknown     PipelineRunPending
```
This pipeline has no start time, because it is still waiting.
- Remove the PipelineRunPending status
```bash
kubectl patch PipelineRun pending-pipelinerun --type=merge -p '{"spec":{"status":""}}'
```
The pipeline starts to execute.
- Check the pipeline status
```
kubectl get pipelineruns.tekton.dev

NAME                  SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
pending-pipelinerun   Unknown     Running   4s
```
- A running pipeline cannot be changed to the PipelineRunPending state
In Tekton v0.24.1, the status of a running pipeline cannot be changed to PipelineRunPending. If it could, that would achieve the effect of a pause.
```
kubectl get pipelineruns.tekton.dev

NAME                 SUCCEEDED   REASON    STARTTIME   COMPLETIONTIME
cancel-pipelinerun   Unknown     Running   9s
```
```
kubectl patch PipelineRun cancel-pipelinerun --type=merge -p '{"spec":{"status":"PipelineRunPending"}}'

Error from server (BadRequest): admission webhook "validation.webhook.pipeline.tekton.dev" denied the request: validation failed: invalid value: PipelineRun cannot be Pending after it is started: spec.status
```
The validation webhook restricts this operation.
3. How to implement the approval function
The sections above cover several process control methods in Tekton, but the community does not offer, and does not plan to offer, an approval function. Therefore, when doing secondary development on Tekton, the CICD platform has to implement approval and permission control itself. Here are two implementation options for reference:
3.1 Option 1: use a Trigger
As shown in the figure above, one user pipeline can be split into two pipelines, pipeline-1/2 and pipeline-2/2, with a trigger introduced between them.
- When pipeline-1/2 finishes executing, the approver is notified.
- After the approver approves, pipeline-2/2 is triggered.
- When pipeline-2/2 finishes executing, the whole pipeline is complete.
The Tekton community provides a triggers component that is used to trigger pipelines automatically, as shown in the figure below:
- After approval, a trigger event (Event) is pushed.
- After receiving this event, the EventController uses the TriggerBinding to extract the parameters (Parameters) from the event.
- The TriggerTemplate uses the passed parameters (Parameters) to create the pipeline pipeline-2/2.
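The three steps above written out as Tekton Triggers resources, as an added example that is not part of the original article. The resource names, the ServiceAccount, the event body fields (decision, approver, revision) and the use of the triggers.tekton.dev/v1beta1 API are assumptions; EventListener is the Triggers resource that receives the event, and pipeline-2/2 is named pipeline-2-of-2 because Kubernetes names cannot contain a slash.

```yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: approval-binding              # hypothetical name
spec:
  params:
    - name: approver
      value: $(body.approver)         # assumed field of the approval event
    - name: revision
      value: $(body.revision)         # parameter handed over from pipeline-1/2
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: approval-template             # hypothetical name
spec:
  params:
    - name: approver
    - name: revision
  resourcetemplates:
    - apiVersion: tekton.dev/v1beta1
      kind: PipelineRun
      metadata:
        generateName: pipeline-2-of-2-
        annotations:
          approved-by: $(tt.params.approver)   # keeps an audit trail on the run
      spec:
        pipelineRef:
          name: pipeline-2-of-2
        params:
          - name: revision
            value: $(tt.params.revision)
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: approval-listener             # hypothetical name
spec:
  serviceAccountName: approval-trigger-sa      # assumed SA allowed to create PipelineRuns
  triggers:
    - name: on-approved
      interceptors:
        - ref: {name: cel}
          params:
            - name: filter
              value: "body.decision == 'approved'"   # drop anything but approvals
      bindings:
        - ref: approval-binding
      template: {ref: approval-template}
```

The CEL filter only selects events by content and does not authenticate the sender, so the listener endpoint should be reachable only by the platform's approval backend, which is where the permission check on the approver belongs.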
3.2 Option 2: develop an approval Task
Developing Tasks is the main way to extend Tekton, and developing a Task only requires basic Shell and YAML knowledge. Another idea is therefore to develop an approval Task.
As shown in the figure above, a Task-Approve used for approval control is inserted into a pipeline.
- When using the approval atom, a ConfigMap has to be created along with it to store the approval status, Status=init.
- When the pipeline finishes the Task-beforeApprove task, it starts the Task-Approve task and sets Status=notifying. The Task-Approve task keeps waiting.
- A notification is sent to the Approver, and the status is set to Status=notified.
- The approver approves the pipeline and allows it to run; the status is set to Status=success.
- Task-Approve detects Status=success, immediately stops waiting, and completes the current Task.
- The pipeline continues with the post-approval task Task-afterApprove until the end.
Here is an example:
First, create a ConfigMap to store the approval status.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: approve-cm
data:
  status: init
```
Write an approval Task that by default waits 24 hours for approval and otherwise times out. If the status is changed to success, the run is approved; if it is changed to refused, it is rejected.
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: approve-task
spec:
  workspaces:
    - name: data
  params:
    - name: timeout
      description: The max seconds to approve
      type: string
      default: "86400"
  steps:
    - name: sleep-a-while
      image: bash:latest
      script: |
        #!/usr/bin/env bash
        end=$((SECONDS+$(params.timeout)))
        while [ $SECONDS -lt $end ]; do
          name=$(cat "$(workspaces.data.path)"/status)
          if [ "$name" = "success" ]
          then
            echo "approved!"
            exit 0
          elif [ "$name" = "refused" ]
          then
            echo "refused!"
            exit 1
          fi
          sleep 2
          echo "waiting"
        done
        echo "too long not to approve"
        exit 1
```
Then, create a test case.
```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: something
  annotations:
    description: |
      A simple task that do something
spec:
  steps:
    - name: do-something
      image: bash:latest
      script: |
        #!/usr/bin/env bash
        uname -a
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: approve-pipeline
spec:
  workspaces:
    - name: workspace
  tasks:
    - name: wait-for-approve
      workspaces:
        - name: data
          workspace: workspace
      taskRef:
        name: approve-task
    - name: do-something
      taskRef:
        name: something
      runAfter:
        - wait-for-approve
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: approve-pipelinerun
spec:
  workspaces:
    - name: workspace
      # The workspace binding field is spelled configMap
      configMap:
        name: approve-cm
  pipelineRef:
    name: approve-pipeline
```
- View the pipeline after creation
The log keeps printing waiting.
- Approve
```bash
kubectl patch ConfigMap approve-cm --type=merge -p '{"data":{"status":"success"}}'
```
- Check the pipeline status
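In option 2 the approval is a patch on approve-cm, so whoever may patch that ConfigMap can approve the run. One way to scope that permission with Kubernetes RBAC, as an added example that is not part of the original article; the namespace ci, the Role and RoleBinding names, and the group pipeline-approvers are assumptions.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: approve-cm-approver           # hypothetical name
  namespace: ci                       # assumed namespace of the PipelineRun
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["approve-cm"]     # only the approval state object
    verbs: ["get", "patch"]           # enough for the kubectl patch shown above
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: approve-cm-approvers          # hypothetical name
  namespace: ci
subjects:
  - kind: Group
    name: pipeline-approvers          # hypothetical approver group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: approve-cm-approver
  apiGroup: rbac.authorization.k8s.io
```

RBAC is additive, so this only acts as a gate if pipeline authors and the PipelineRun's ServiceAccount hold no other rule granting update or patch on ConfigMaps in that namespace; `kubectl auth can-i patch configmap/approve-cm -n ci --as=<user>` checks a given identity. The approval Task itself needs no API access, because the kubelet mounts the ConfigMap into the workspace read-only.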
4. Summary
When doing secondary development on Tekton, approval is a function that is hard to avoid, but the community does not provide it. This article first introduced the process control methods in Tekton and then presented two options for implementing approval. The following is a brief comparison and summary of the two:
4.1 Approval with a Trigger
Advantages
- Flexible. What is executed after approval is entirely under the developer's control, which gives more freedom. You can also replace the Trigger with a background task that uses the Tekton client to create the pipeline.
- Reliable. Even a restart does not affect the approval.
Disadvantages
- There may be more than two pipelines after splitting.
- Parameters and artifacts need to be passed across pipelines, which increases maintenance cost.
- Architecture complexity increases, because new components and background processing logic are introduced.
4.2 Develop an approval Task
Advantages
- Easy to use. One Pipeline has only one DAG, which is easy to understand.
- More in line with how Tekton is extended.
Disadvantages
- If the approval Task fails because of a node failure, it cannot be recovered.
- It occupies cluster resources: the approval Task stays resident in the cluster while waiting.
- The ConfigMap status is not updated immediately; there is a delay (by default on the order of seconds) of approximately the kubelet sync period plus the TTL of the ConfigMap cache in the kubelet.
5. References
Original article: https://www.chenshaowen.com/blog/how-to-implement-approval-function-in-tekton.html